Reports Claim Dutch Intelligence Watched Russian Spies Hack the DNC

According to two new reports, agents from the Dutch General Intelligence and Security Service (AIVD) who had access to the computer network of a group of Russian spies witnessed them hacking DNC servers in real time back in 2015. This cyber attack ultimately served as part of the basis for widespread charges of Russian government interference in the 2016 U.S. presidential election.

The reports, which were released on Thursday by Dutch news outlets Nieuwsuur and de Volkskrant, claim that Dutch intelligence not only collected concrete evidence of Russian hack attacks, but shared their findings with the FBI, NSA, and Special Counsel Robert Mueller. Unsurprisingly, this information has reportedly been used to shape U.S. intelligence investigations of alleged Russian interference up to the present day. Additionally, it appears to be the foundation of frequent public assertions by U.S. lawmakers and intelligence heads that they have “high confidence” that Russian President Vladimir Putin personally directed cyber attacks against American institutions in 2015 and 2016.

Both of the Dutch news reports rely exclusively on anonymous sources from Dutch and American intelligence agencies, diplomatic services, and other government divisions. These sources lay out a pretty remarkable narrative about how hackers from AIVD observed Russian agents from the Kremlin’s Foreign Intelligence Service (SVR) going after the DNC, the U.S. State Department, and the Obama White House to pilfer confidential memos and other materials not normally disclosed to the public.

How did Dutch officials know that it was SVR specifically? Apparently, Dutch intelligence was able to identify all Russian officials who were directly involved with the hacks because AIVD agents obtained access to a security camera that overlooked the entrance to the SVR hacking center. Using photographic evidence obtained from the camera’s direct feed, AIVD compiled a list of Russians who entered the hacking center and thus determined SVR’s ultimate responsibility for the attacks.

If Nieuwsuur and de Volkskrant’s sources are correct about AIVD’s cyber defense operations, this would clearly constitute one of the most important stories about Russian interference yet.

However, there are still outstanding questions about the Dutch reports that need to be considered before taking all of their assertions at face value.

First, neither Dutch outlet has released independent evidence corroborating its sources’ claims. Given the purported existence of reams of pictures taken over the course of one to two years showing every person involved in hacking the DNC in 2015, it is strange that no details have come out about precisely who was involved in the SVR intelligence unit (commonly known as either “Cozy Bear” or “APT 29” by security analysts). Columnist Leonid Bershidsky raised this point (among others) in a piece today for Bloomberg View [emphasis mine]:

But the questions raised by the Dutch scoop are as significant as the gaps it helps to close. If the Dutch witnessed the DNC intrusion in 2015 and reported it to U.S. colleagues, it's difficult to understand why the Russian hackers were left to forage in the DNC network for months without being ejected. After all, Cozy Bear's attacks on the State Department and the White House were actively fought as soon as they became apparent. Allowed to root around the DNC unopposed, Cozy Bear could have harvested much of the material released during the 2016 campaign to embarrass Hillary Clinton and her key supporters within the party. One would expect U.S. intelligence to try to prevent that kind of thing.

(…)

The other important question that arises from the Dutch story is, if the U.S. had specific evidence of the breach and earlier APT 29 efforts, as well as pictures from the security camera at the group's "office," why aren't there any indictments of Russian officials and hackers. The evidence goes back more than three years, and the Dutch intelligence service has long since lost its access, meaning that Cozy Bear figured out it was being watched and, presumably, by what means. There's no longer any reason to protect those sources.

Last November, The Wall Street Journal reported, citing anonymous sources, that the Justice Department had identified "more than six members of the Russian government" involved in the DNC hack but that discussions about the case were "in the early stages." That's difficult to understand if the evidence has been there since 2015.